Is it possible to whitelist the external IPs that access a Google Kubernetes Engine service through an Nginx Ingress

2/18/2019

I have a k8s cluster running on GKE. This cluster uses nginx-ingress to expose some services to the internet. I would like to configure IP whitelisting for a subset of these services. For that I'm using nginx.ingress.kubernetes.io/whitelist-source-range, e.g.:

kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/add-base-url: "true"
    nginx.ingress.kubernetes.io/proxy-body-size: 30M
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/whitelist-source-range: 81.x.x.x
  generation: 7
  name: my-apps
  namespace: client-apps
spec:
  rules:
  - host: somehost.com
    http:
      paths:
      - backend:
          serviceName: app1
          servicePort: 8080

With this config my service isn't accessible from a client with that IP. In the NGINX ingress logs I see:

10.0.0.36 - [10.0.0.36] - - [18/Feb/2019:10:34:34 +0000] "GET /xxx HTTP/2.0" 403 0 "https://xxx" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.109 Safari/537.36"

So the ingress blocks the access of a request from 10.0.0.36. However, the actual client IP is 81.x.x.x. Is there a way to filter by the original IP?

-- codependent
google-kubernetes-engine
kubernetes
kubernetes-ingress
nginx-ingress
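
A way to confirm the symptom in the question from the controller's access log, as an added example (not part of the original post and not nginx-ingress code): it parses lines in the format shown above and flags 403s whose logged source is an RFC 1918 address, meaning the whitelist was compared with an internal hop rather than the real client. The function names, the sample lines and the 203.0.113.7 whitelist entry are constructed; the page redacts the real address as 81.x.x.x.

```python
import ipaddress
import re

# Leading fields of the access-log line format shown in the question:
# <client> - [<client>] - <user> [<time>] "<request>" <status> ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) - \[[^\]]*\] - \S+ \[[^\]]+\] "[^"]*" (?P<status>\d{3}) '
)
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_line(line):
    """Return (client_ip, status) or None if the line does not fit the format."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    try:
        return ipaddress.ip_address(m["client"]), int(m["status"])
    except ValueError:
        return None

def diagnose(line, whitelist):
    """Classify one access-log line against the whitelist CIDRs."""
    parsed = parse_line(line)
    if parsed is None:
        return "unparsed"
    client, status = parsed
    nets = [ipaddress.ip_network(c, strict=False) for c in whitelist]
    allowed = any(client in n for n in nets)
    internal = any(client in n for n in RFC1918)
    if status == 403 and not allowed:
        # An internal source on a public ingress means the controller never
        # saw the original client address, so no public whitelist can match.
        return "denied-internal-source" if internal else "denied-not-whitelisted"
    if status == 403:
        return "denied-other"  # source is whitelisted; the 403 has another cause
    return "allowed" if allowed else "allowed-unexpected"

# Constructed sample data; the first line mirrors the one in the question.
WHITELIST = ["203.0.113.7/32"]
SAMPLE = [
    '10.0.0.36 - [10.0.0.36] - - [18/Feb/2019:10:34:34 +0000] "GET /xxx HTTP/2.0" 403 0 "https://xxx" "Mozilla/5.0"',
    '203.0.113.7 - [203.0.113.7] - - [18/Feb/2019:10:35:02 +0000] "GET /xxx HTTP/2.0" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - [198.51.100.9] - - [18/Feb/2019:10:36:11 +0000] "GET /xxx HTTP/2.0" 403 0 "-" "curl/7.64.0"',
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(diagnose(entry, WHITELIST), "<-", entry.split(" ")[0])
```
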

0 Answers